User Management can be one of the most time-consuming tasks for network administrators. Automation, good policies, and an educated user community are the keys to keeping your support calls to a minimum. And with Windows 2000 you can now grant more specific permissions to support staff without giving them full Administrator privileges.

Recommended Books

Windows 2000 User Management
By Lori Sanders. Published by New Riders, March 2000. Paperback 239 pages. ISBN 156205886X
Help desk managers and administrators who spend much of their time managing users will find this book invaluable. Although this topic is covered in many Windows 2000 references, this book is far more practical, comprehensive, and easier to read. The author writes from her own experiences, relating real-world examples, pitfalls, criticisms, and advice that any administrator can benefit from. Divided into three sections, the book begins with an overview of the new user management functions in Windows 2000, as well as an overview of Active Directory. The middle section covers user management, including group management, migrating users from other directory structures, ADSI scripting, and creating users. The final section focuses on managing the user's environment and desktop.

Where to start...

Step-by-Step Guide to User Data and User Settings
This guide includes scenarios showing the benefits of User Data Management and User Settings Management. It is designed to help administrators understand how they can use these features in their organizations. Source: Microsoft.com (March 2, 2000)

Useful articles

Administration

Creating User and Group Reports in Windows NT
Microsoft Knowledge Base Article: 137848 - There are no graphical or command line utilities that produce comprehensive reports on groups, users and permissions included with the Windows NT Operating System or the Windows NT Resource Kit. The NET commands and the Windows NT 3.5 Resource Kit ADDUSERS.EXE and PERMS.EXE utilities can be used to create limited administrative reports by piping the output to a text file.

HOW TO: Assign a Home Directory to a User
Microsoft Knowledge Base Article: 320043 - This step-by-step article describes how to assign a home directory to a user by using the Active Directory Users and Computers MMC, the Computer Management MMC, a logon script, or the command line.

How to Generate a List of Users
Microsoft Knowledge Base Article: 149781 - The User Manager application does not provide a method for generating a list of user accounts for a Microsoft Windows NT server or domain.

How to Modify the Right to Display Users in User Manager
Microsoft Knowledge Base Article: 180782 - When you use the User Manager tool on a computer running Windows NT, domain users or Guest account users may be able to display the list of user accounts and group accounts. This article describes how to use the Listacct.exe tool to modify

Usrmgr Not Just for Domains
Use User Manager for Domains to manage workstation and member server accounts. Source: Windows & .NET Magazine (August 2002)

Creating Accounts

AddUsers Automates Creation of a Large Number of Users
Microsoft Knowledge Base Article: 199878 - The Addusers.exe tool for Windows NT is a 32-bit administrative utility that uses a comma-delimited text file to create, modify, and delete user accounts. Addusers is most beneficial when the information to be manipulated is maintained in a spreadsheet, such as one created with Microsoft Excel, that can be converted to a comma-delimited file. You must be a member of the Administrators group on the target computer to add accounts and a member of the Users group to write to accounts.

Basic User Account Creation with ADSI Scripting
Microsoft Knowledge Base Article: 230750 - The Active Directory Services Interface (ADSI) tool provides a single consistent set of interfaces that can be called in scripts using the Microsoft Windows Script Host, or other scripting languages (VBScript and JScript are supported natively).

Creating a Workstation only Administrator
Microsoft Knowledge Base Article: 125782 - Describes how to add a pseudo-administrative account to a domain to allow a user to administer and maintain Windows NT workstations but not servers.

Configuring Accounts

Batch Process to Create and Grant Access to Home Directories
Microsoft Knowledge Base Article: 155449 - When administrators need to create large numbers of users and corresponding home directories, the task can be simplified by using a batch process rather than creating each home directory individually through Windows NT File Manager or Windows

HOW TO: Configure a User Account to Log on to Windows 2000-Based Computer from a NetWare Client
Microsoft Knowledge Base Article: 316100 - This step-by-step article describes how to configure a domain user account so that it can log on to a Windows 2000 Server-based computer (on which File and Print services for NetWare is installed) from a NetWare client computer. After you do so, the user account will be able to access resources on this server from a NetWare client computer.

HOW TO: Delegate Administrative Authority in Windows 2000
Microsoft Knowledge Base Article: 315676 - This step-by-step article describes how to delegate administrative authority in Windows 2000. An administrator can use this feature in Windows 2000 to delegate administrative authority over one or more organizational units (OUs) to a user or group, without giving that user or group administrative authority throughout the domain. This increases the flexibility with which administrators can assign responsibility over a specified set of user/group accounts, printers, or other resources that can be placed into an organizational unit.

How To Delegate the Unlock Account Right
Microsoft Knowledge Base Article: 294952 - This article describes the process to delegate the right to unlock locked user accounts to a particular group or user in Active Directory.

Group Type and Scope Usage in Windows 2000
Microsoft Knowledge Base Article: 231273 - Microsoft Windows 2000 extends the Microsoft Windows NT 4.0 concept of user groups by adding Universal and Distribution groups. In Windows NT 4.0, there are only Global and Local groups, and both are considered Security groups.

How to Add Special Groups to Built-In Groups
Microsoft Knowledge Base Article: 292781 - If you, as the administrator, delete one of the memberships of a special group, such as Authenticated Users, from a Built-in Domain Local Users group on a domain controller in Windows 2000, you cannot re-add the group by using the Active Directory Users and Computers tool. To add one of the special groups to a domain local group on a domain controller, use the net localgroup command.

HOW TO: Add Users to the Pre-Windows 2000 Compatible Access Group
Microsoft Knowledge Base Article: 303973 - This step-by-step article describes how the Pre-Windows 2000 Compatible Access group is used, why it is needed in a mixed-mode domain, and how to set up the group by using the Active Directory Users and Computers snap-in and command line

Profiles

Differences in the User Profiles of Windows 95, Windows 98, Windows NT, and Windows 2000
Microsoft Knowledge Base Article: 269378 - Microsoft Windows 95, Windows 98, Windows NT and Windows 2000 all contain and support user profiles and in many respects, they behave the same. However, there are some differences. These differences may cause a Windows 95 or Windows 98 user profile to not be used or transferred to a Windows NT 4.x or Windows 2000 user profile with the exception of Windows 95 and Windows 98 clients that have been upgraded to Windows 2000 Professional. In this case, their user profiles are converted.

Differences in the User Profiles in Windows
Microsoft Knowledge Base Article: 269378 - Windows 95, Windows 98, Windows NT and Windows 2000 contain and support user profiles, and in many respects, they behave the same. However, there are some differences. These differences may prevent a Windows 95 or Windows 98 user profile from being used or transferred to a Windows NT 4.x or Windows 2000 user profile with the exception of Windows 95 and Windows 98 clients that have been upgraded to Windows 2000 Professional. In this case, their user profiles are converted.

How to Assign a Logon Script to a Profile for a Local User
Microsoft Knowledge Base Article: 258286 - This article describes how to assign a logon script to a profile for a local user's account on a Windows 2000 Professional workstation or a Windows 2000 Server. This logon script runs when the local user logs on locally to the computer.

How to Assign the Administrator Profile to Other Users
Microsoft Knowledge Base Article: 156568 - In Windows NT 4.0 and in Windows 2000, if you log on as an administrator and make some changes to your desktop, such as moving the taskbar, creating a shortcut, or installing software, and then log off and log on again as another user who has access rights equivalent to the administrator's, you will find that all the changes made by the administrator are not available.

HOW TO: Configure Client User Profile Information for a Roaming User on Windows 2000
Microsoft Knowledge Base Article: 307964 - Roaming users move between different computers on a network. This article describes the procedures that you have to use to enable and configure profile information for each of the roaming users in your organization. This article assumes the operating system on your primary domain controller (PDC) is Windows 2000

HOW TO: Create a Custom Default User Profile
Microsoft Knowledge Base Article: 305709 - This article describes how to create a custom default user profile in Windows 2000. A custom default user profile is helpful if several people use the same computer but each user wants a separate profile along with access to shared resources.

HOW TO: Create a Roaming User Profile
Microsoft Knowledge Base Article: 302082 - This step-by-step article describes how to create a roaming user profile. Roaming user profiles provide the user with the same working environment, no matter which Microsoft Windows NT-based computer the user logs on to.

HOW TO: Delete a User Profile
Microsoft Knowledge Base Article: 313918 - This step-by-step article describes how to delete a user profile from a local computer. If you use this method, you delete the %SystemRoot%\Documents and Settings.

How to Move the Location of a Locally Cached Profile
Microsoft Knowledge Base Article: 214470 - By default, the locally cached copy of a profile is stored in %SystemRoot%\Profiles\, which may be an issue if you have a large number of people logging on to a computer. If you have a large number of people logging on to a computer (which creates a large number of profiles), disk space on the operating system partition may become scarce. You can move the locally cached copy of a profile to another local partition

How to Prevent a User from Changing the User Profile Type
Microsoft Knowledge Base Article: 150919 - If roaming user profiles are used with Windows NT 4.0 systems, system administrators may wish to not allow users to change the profile type to local. To do this, remove the read permission from the %systemroot%\System32\Sysdm.cpl file for the users or groups that should not be able to modify profile settings. This removes the System icon from Control Panel. As a result, those users cannot change system settings.

HOW TO: Restore a User Profile
Microsoft Knowledge Base Article: 314045 - This step-by-step article describes how to restore a user profile as well as the following user profile items:

How to Use %LOGONSERVER% to Distribute User Profiles
Microsoft Knowledge Base Article: 141714 - If you want to specify a domain server that validates a user logon, use the environment variable %LOGONSERVER% in a PATH statement. This article describes how you can use %LOGONSERVER% to distribute user profiles.

How to Use Windows 95 and Windows 98 Roaming User Profiles with Windows 2000 Server
Microsoft Knowledge Base Article: 264866 - Windows 95 and Windows 98 clients support the use of roaming user profiles; however, they behave differently from the user profiles found in Windows NT 4 and Windows 2000. This article explains how to implement roaming user profiles for Windows 95 and Windows 98 clients connecting to a computer running Windows 2000 Server

Roaming Profile Creation in Windows Using the "Copy To" Command
Microsoft Knowledge Base Article: 243420 - Roaming profiles contain user work environments, which include the desktop items and settings. Some examples of these environments are screen colors, mouse settings, window size and position, and network and printer connections. Roaming profiles...

User Profile Storage in Windows 2000
Microsoft Knowledge Base Article: 228445 - The naming convention for user profile folders in Windows 2000 is different from that used in Microsoft Windows NT 4.0 and earlier versions. This article describes the location for user profile folders and how subfolders are created for
individual user profiles.

14 Day Password Change Notification Cannot be Changed
Microsoft Knowledge Base Article: 135403 - In Windows NT 3.x, when your password is 14 days from expiration, you receive a Password Change Notification when logging on requesting you to change your password. If the Maximum Password Age is set to 30 days, you receive the notice when your password is only halfway through its life span. Although you may wish to change the advance time of the reminder, the Password Change Notification is hard coded at 14 days in Windows NT 3.x and is not configurable. In Windows NT 4.0, a new registry parameter is available to allow administrators to configure the number of days at which the Password Change Notification is presented. The implementation of this new parameter requires that the registry change be made on the client computer.

HOW TO: Monitor for Unauthorized User Access
Microsoft Knowledge Base Article: 300958 - This article describes how to monitor your system for unauthorized user access. There are two main steps: Enabling security auditing and viewing the security logs. Note that different systems have different security needs, and the security topic is complex. Any user who sets up security audits on your system must be assigned to administrative groups or be given security rights and privileges.

Account Lockout Is Not Audited for Local/SAM User Accounts
Microsoft Knowledge Base Article: 314786 - If a local Security Accounts Manager (SAM) account on a workstation or server (either a workgroup or domain member) is automatically locked because the bad password count passes the threshold, the event is not audited even if auditing is turned on

Troubleshooting Articles

"Access Denied" Error Message When Updating Roaming User Profile
Microsoft Knowledge Base Article: 257848 - When a user with a roaming user profile logs off, the following error message may be displayed: "Windows cannot update your roaming profile. Contact your network administrator. DETAIL - Access is denied". The same user may have no problem when logging off a Microsoft Windows NT 4.0-based client using the same roaming profile. With Windows 2000-based clients, the behavior is the same whether the roaming profile server is a Windows NT 4.0-based or Windows 2000-based server.

Cannot Copy Current User Profile
Microsoft Knowledge Base Article: 227575 - When you are logged on as a user and you use the System tool to copy your current profile, you may receive the following error message:

Cannot Use "/" Character in Local Group Names
Microsoft Knowledge Base Article: 218925 - You cannot use the forward slash character (/) in group names in Windows 2000. Note that group names created in Microsoft Windows NT 4.0 do allow the forward slash character.

Cannot Use Users and Passwords Wizard After Installing Multilanguage Pack
Microsoft Knowledge Base Article: 285790 - After you install Multilanguage Pack (MUI) and choose a preferred language (such as French) for menus and dialog boxes, the Users and Passwords Wizard does not create new standard users, and generates the following error message: "The user could not be added because the following error occurred: the group name cannot be found" (updated 6/20/2001)

Cannot Use "Copy To" Button for a Domain User Profile from Windows 2000 Professional
Microsoft Knowledge Base Article: 255573 - Administrators cannot use the Copy To button on the User Profiles tab in System properties to copy a domain user profile from a Windows 2000 Professional-based computer that is a member of a Microsoft Windows NT 4.0-based domain. When you attempt to do so, the Look in box in the Select User or Group dialog box does not display the list of domains. Instead, the Look in box is unavailable, and the name of the local computer is the only available name. (updated 2/22/2001)

Groups with Certain Characters Cannot Be Created in Windows 2000
Microsoft Knowledge Base Article: 301222 - In Microsoft Windows NT version 4.0 a bug exists that permits the creation of groups with restricted characters. In Windows 2000 this bug is corrected by adding a check on the server before a group can be created with these characters. Although an upgrade is not blocked nor are any existing groups with these names modified in any way, it is recommended that groups with these names be renamed to conform to the normal group-naming convention.

Guest Account Is a Member of the Domain Users Group
Microsoft Knowledge Base Article: 312136 - In a Windows 2000 domain where anonymous access has been turned on for the Guest account, the Guest account has access to resources that Domain Users are granted permissions to. The Guest account is a member of the Domain Users group.

Folder Redirection Does Not Work After You Delete a Profile
Microsoft Knowledge Base Article: 309144 - If you delete a user's profile and then later re-create the profile, the folder-redirection portion of a policy may not be reapplied when the user logs on to a workstation. The rest of the policy is applied correctly. If you then change the

No Domains Listed in "Copy to" Dialog Box for Profiles
Microsoft Knowledge Base Article: 257489 - When you copy user profiles to another location, you can optionally change who is permitted to use a profile by selecting from a list of users and groups from the local computer account database (for a member server or Windows 2000 Professional

Permissions for Distribution Group Are Not in the Standard Format
Microsoft Knowledge Base Article: 290801 - When you use Active Directory Users and Computers to view permissions for a distribution group whose membership is hidden, the Special Security message box is displayed. The following message is displayed in the message box:

Invalid Network Home Directory Specified in User Manager
Microsoft Knowledge Base Article: 128795 - If you specify an invalid network Home Directory for a User Environment Profile in the user object properties, an error message appears: "Windows can not edit the permissions on 'Group Name' because they have been written in a nonstandard format by another application. To enable editing, you must use the application to restore the permissions to a standard format." After you click OK, the permissions are displayed.

Roaming User Profiles Do Not Unload
Microsoft Knowledge Base Article: 253820 - When you log off of your Windows 2000-based computer, you may receive an error message that indicates that your user profile cannot be unloaded. You may also receive the following event in the event log:

Users with Roaming Profiles Cannot Use EFS On Domain Controllers
Microsoft Knowledge Base Article: 311513 - If the Encrypting File System (EFS) feature is configured for use in a Windows 2000-based domain environment and the "Delete cached copies of roaming profiles" policy is enabled, users with roaming profiles can encrypt files on Windows 2000

This site and its contents are Copyright 1999-2003 by LabMice.net. Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with LabMice.net. The products referenced in this site are provided by parties other than LabMice.net. LabMice.net makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.